[OpenID] Trust + Security @ OpenID
Gabe Wachob
gabe.wachob at amsoft.net
Fri Jul 20 16:44:58 UTC 2007
Are you guys talking about RFC 2817 - HTTP Upgrade to TLS
(http://www.ietf.org/rfc/rfc2817.txt)?
I'm not sure how well that's implemented at all. In fact, I'd be surprised
if most common http libraries and servers implement it (though I have been
surprised in the past!)
-Gabe
> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of John Panzer
> Sent: Friday, July 20, 2007 7:59 AM
> To: Dmitry Shechtman
> Cc: general at openid.net; security at openid.net
> Subject: Re: [OpenID] Trust + Security @ OpenID
>
> Dmitry Shechtman wrote:
> > The attack vector: I poison your local DNS resolver, or proxy all
> > traffic, so that http://foo.blogspot.com actually resolves to
> > http://evil.org's IP. If you follow the 302 redirect, you could be
> > allowing evil.org to tell you what the "canonical" URL is. For example
> > it could do a 302 redirect over to https://evil.org which presents a
> > valid certificate and which can masquerade as the user's OP, capturing
> > their password. (For users who check URLs, it could be
> > https://my.open1d.org instead of https://evil.org.)
> >
> > Pardon my ignorance regarding TLS, but I don't see what protection it
> > would provide against such an attack. Is TLS similar to SSL with the
> > exception of http prefix usage?
> >
>
> Sorry! Yes. TLS in this context means negotiating to do SSL over port
> 80 via HTTP 1.1 mechanisms. Once the client and server upgrade, it's
> effectively the same security as https. Specifically, the client is sent
> a server certificate which proves that they are (say) foo.blogspot.com.
>
> (If someone knows differently, please correct the above.)
>
> -John
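The redirect-trust rule implied by the thread, as an added example that is not part of the original messages or of any OpenID library: a relying party follows discovery redirects but refuses to accept a cross-host "canonical" URL that was handed out by a plain-HTTP hop, since a poisoned resolver or proxy controls that hop. The response table is constructed; the hostnames foo.blogspot.com and evil.org are the ones used in the thread, bar.example is a made-up extra case.

```python
from urllib.parse import urlparse, urljoin

# Constructed table standing in for live HTTP responses during discovery:
# url -> (status, Location header). Hypothetical; not any real host's behaviour.
RESPONSES = {
    "http://foo.blogspot.com/": (302, "https://evil.org/"),        # the MITM/DNS-poison hop
    "https://evil.org/": (200, None),
    "https://foo.blogspot.com/": (302, "https://foo.blogspot.com/openid"),
    "https://foo.blogspot.com/openid": (200, None),
    "http://bar.example/": (301, "https://bar.example/"),          # benign same-host upgrade
    "https://bar.example/": (200, None),
}

REDIRECTS = (301, 302, 303, 307, 308)
MAX_HOPS = 5


def is_authenticated(url):
    """A hop counts as authenticated only if it was fetched over certificate-checked https.
    (An RFC 2817 upgrade validated for the same host would qualify too, but few
    clients implement it, so this example treats only https as authenticated.)"""
    return urlparse(url).scheme == "https"


def resolve_canonical(identifier, responses=RESPONSES):
    """Follow redirects from the claimed identifier and decide whether the final
    URL may be treated as the user's canonical OP endpoint.

    Returns (final_url, trusted, reason). Untrusted cases:
      - a redirect that changes the host and was issued by an unauthenticated
        (plain http) hop, which an on-path attacker could have inserted;
      - a redirect from https back down to plain http (downgrade);
      - a redirect loop or chain longer than MAX_HOPS.
    """
    url = identifier
    for _ in range(MAX_HOPS):
        status, location = responses.get(url, (200, None))
        if status not in REDIRECTS or location is None:
            return url, True, "final"
        target = urljoin(url, location)
        same_host = urlparse(url).hostname == urlparse(target).hostname
        if not same_host and not is_authenticated(url):
            return target, False, "cross-host redirect from unauthenticated hop %s" % url
        if is_authenticated(url) and not is_authenticated(target):
            return target, False, "downgrade to plain http at %s" % url
        url = target
    return url, False, "too many redirects"
```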